I need to reach an external IPv6 address from a network namespace.
In my host I have setup a SIT tunnel (IPv6-in-IPv4) that does tunnelling of IPv6 packets and sends it through the default interface (eth0). The SIT tunnel relies on the Hurricane Electric tunnel broker service. I can ping an external IPv6 address from the host.
$ ping6 ipv6.google.com
PING ipv6.google.com(lis01s13-in-x0e.1e100.net) 56 data bytes
64 bytes from lis01s13-in-x0e.1e100.net: icmp_seq=1 ttl=57 time=98.1 ms
64 bytes from lis01s13-in-x0e.1e100.net: icmp_seq=2 ttl=57 time=98.7 ms
Here are some details about the tunnel:
$ ip -6 route sh
2001:470:1f14:10be::/64 dev he-ipv6 proto kernel metric 256
default dev he-ipv6 metric 1024
Here comes the interesting part. For reasons that are beyond the scope of this question, I need to do the same thing (ping ipv6.google.com) from within a network namespace.
Here is how I create and setup my network namespace:
ns1.sh
#!/bin/bash
set -x
if [[ $EUID -ne 0 ]]; then
echo "You must run this script as root."
exit 1
fi
# Create network namespace 'ns1'.
ip netns del ns1 &>/dev/null
ip netns add ns1
# Create veth pair.
ip li add name veth1 type veth peer name vpeer1
# Setup veth1 (host).
ip -6 addr add fc00::1/64 dev veth1
ip li set dev veth1 up
# Setup vpeer1 (network namespace).
ip li set dev vpeer1 netns ns1
ip netns exec ns1 ip li set dev lo up
ip netns exec ns1 ip -6 addr add fc00::2/64 dev vpeer1
ip netns exec ns1 ip li set vpeer1 up
# Make vpeer1 default gw.
ip netns exec ns1 ip -6 route add default dev vpeer1
# Get into ns1.
ip netns exec ns1 /bin/bash --rcfile <(echo "PS1=\"ns1> \"")
Then I run ns1.sh and ping veth1 (fc00::1) vpeer1 (fc00::2) from 'ns1'.
ns1> ping6 fc00::1
PING fc00::1(fc00::1) 56 data bytes
64 bytes from fc00::1: icmp_seq=1 ttl=64 time=0.075 ms
^C
ns1> ping6 fc00::2
PING fc00::2(fc00::2) 56 data bytes
64 bytes from fc00::2: icmp_seq=1 ttl=64 time=0.056 ms
However, if I try to ping an external IPv6 address:
ns1> ping6 2a00:1450:4004:801::200e
PING 2a00:1450:4004:801::200e(2a00:1450:4004:801::200e) 56 data bytes
^C
--- 2a00:1450:4004:801::200e ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms
All packets are loss.
I opened veth1 with tcpdump and checked what's going on. What I'm seeing is that Neighbor Solicitation packets are reaching the interface. These packets are trying to resolve the MAC address of the the IPv6 destination address:
$ sudo tcpdump -qns 0 -e -i veth1
IPv6, length 86: fc00::2 > ff02::1:ff00:200e: ICMP6, neighbor solicitation,
who has 2a00:1450:4004:801::200e, length 32
IPv6, length 86: fc00::2 > ff02::1:ff00:200e: ICMP6, neighbor solicitation,
who has 2a00:1450:4004:801::200e, length 32
I don't really understand why this is happening. I have enabled IPv6 forwarding in the host too but it had no effect:
$ sudo sysctl -w net.ipv6.conf.default.forwarding=1
Thanks for reading this question. Suggestions welcome :)
EDIT:
Routing table in the host:
2001:470:1f14:10be::/64 dev he-ipv6 proto kernel metric 256
fc00::/64 dev veth1 proto kernel metric 256
default dev he-ipv6 metric 1024
I added a NDP proxy in the host, that solves the NDP solicitations. Still the address is not reachable from the nsnet (looking into this):
sudo sysctl -w net.ipv6.conf.all.proxy_ndp=1
sudo ip -6 neigh add proxy 2a00:1450:4004:801::200e dev veth1
ULAs are not routable
You have given an Unique Local Address (fc00::2) to the network namespace: this IP address is not routable in the global internet but only in your local network.
When your ISP receives the ICMP packet coming from this address it will drop it. Even if this packet was successfully reaching ipv6.google.com, it could not possibly send the answer back to you because there is no announced route for this IP address.
Routing table problem (NDP notications)
You get NDP notifications because of this line:
ip netns exec ns1 ip -6 route add default dev vpeer1
which tells the kernel that (in the netns) all IP address are directly connected on the vpeer1 interface. The kernel thinks that this IP address is present on the Ethernet link: that's why it's trying to resolve its MAC address with NDP.
Instead, you want to say that they are reachable through a given router (in your case, the router is your host):
ip netns exec ns1 ip -6 route add default dev vpeer1 via $myipv6
Solutions
You can either:
associate an public IPv6 address (of your public IPv6 prefix) to your netns and setup a NDP proxy on the host for this address;
subnet your IPv6 prefix and route a subnet to your host (if you can);
use NAT (bad, ugly, don't do that).
You should be able to achieve the first one using something like this:
#!/bin/bash
set -x
myipv6=2001:470:1f14:10be::42
peeripv6=2001:470:1f14:10be::43
#Create the netns:
ip netns add ns1
# Create and configure the local veth:
ip link add name veth1 type veth peer name vpeer1
ip -6 address add $myipv6/128 dev veth1
ip -6 route add $peeripv6/128 dev veth1
ip li set dev veth1 up
# Setup vpeer1 in the netns:
ip link set dev vpeer1 netns ns1
ip netns exec ns1 ip link set dev lo up
ip netns exec ns1 ip -6 address add $peeripv6/128 dev vpeer1
ip netns exec ns1 ip -6 route add $myipv6/128 dev vpeer1
ip netns exec ns1 ip link set vpeer1 up
ip netns exec ns1 ip -6 route add default dev vpeer1 via $peeripv6
# IP forwarding
sysctl -w net.ipv6.conf.default.forwarding=1
# NDP proxy for the netns
ip -6 neigh add proxy $myipv6 dev veth1
Related
Can I change the router's interface ip to a new one?
No matter in the dashboard or terminal, if we can change the ip?
Yes, you can.
1: neutron router-list
note down the id of router of whose you want to change interface IP address.
2: ip netns
to see the namespace of router. It would be qrouter-{idOfRouter}
3: ip netns exec qrouter-{idOfRouter} ifconfig
to check if the selected namespace if of the desired router or not.
4: ip netns exec qrouter-{idOfRouter} ifconfig <port-name> <newIPOfSameClass>
to change the ip address of the interface
5: ip netns exec qrouter-{idOfRouter} ifconfig <port-name>
to check if interface ip has changed or not.
This might help.
On my development machine, I can see the following DHCP traffic on eth1 port:
sudo tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:51:58.785056 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 00:06:31:c7:1e:23 (oui Unknown), length 315
09:51:58.785384 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 00:06:31:c7:1e:23 (oui Unknown), length 315
09:51:59.786677 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 00:06:31:c7:1e:23 (oui Unknown), length 315
I want to see this same traffic in my Vagrant VM. So I want to bridge the eth1 port on my development machine to some port on my Vagrant VM. I also want to be able to send network traffic from my Vagrant VM back onto the eth1.
Using the answer in the following question:
https://superuser.com/questions/752954/need-to-do-bridged-adapter-only-in-vagrant-no-nat
I added this to my Vagrantfile:
config.vm.provision "shell",
run: "always",
inline: "route -A inet6 add deault gw fc00::1 eth1"
But I don't really know what this does, except that it seems to only route ipv6 traffic? Could someone help explain how to bridge eth1 to a port on my Vagrant VM?
I also tried the following in my Vagrantfile:
Vagrant::Config.run do |config|
config.vm.network :bridged
end
yet after I do vagrant up again, I still don't see any port (using ifconfig) in my VM that has the DHCP traffic.
After reading up on Vagrant, I found a solution that worked for me.
Firstly, I ran the following command on my host machine:
sudo ip route add 192.168.1.0/24 dev eth1
My understanding is that this routes traffic from eth1 physical port to 192.168.1.0 IP address.
Then, in my Vagrantfile I added the following under Vagrant.configure(2) do |config|:
config.vm.network “public_network”, bridge: “eth1”
config.vm.network “public_network”, ip: “192.168.1.0”
After doing vagrant destroy and vagrant up, I now see a new port in my vagrant VM (enp0s8), that if I do tcpdump on I see the DHCP traffic (and other traffic) that is arriving on my eth1 port on my host machine.
Not sure if this is the best solution, as I am still very new to vagrant and VirtualBox, but this worked for me.
I have two PC in same subnet and connected via switch. When I do arp -a the other IP address is shown but I cant ping the other PC.
It is shown in arp, but maybe it is cached, and currently not reachable. Try the following command, which outputs its current cache state:
ip neigh
For example, on my personal laptop, I have a wireless adapter (wlan0) and a wired one (eth0), both connected to the same network (my home router). With arp -a it displays
? (192.168.1.1) en xx:xx:xx:xx:xx:xx [ether] en wlan0
? (192.168.1.1) en xx:xx:xx:xx:xx:xx [ether] en eth0
and with ip neigh it shows
192.168.1.1 dev wlan0 lladdr xx:xx:xx:xx:xx:xx STALE
192.168.1.1 dev eth0 lladdr xx:xx:xx:xx:xx:xx REACHABLE
As seen with ip neigh, the wireless one is in the STALE state, cause it is not being used, but arp -a does not displays it.
Here is the topo: HostA(eth0) ---- (eth0)HostB
I have created a tun/tap device on HostB, for say tun0 or tap0. When eth0 of HostB receives a packet from HostA, maybe a ICMPv6(NS, echo request, etc.) or a UDP/TCP packet(encapsulated with IPv6 header), I want to forward this packet from eth0 to tap0. After doing something to this packet, I also want to send a reply back to HostA, through tap0 and eth0.
I cannot find a way to do that, can some one help me or give some hints?
This is an extremely basic routing question, probably unsuitable for Stack Overflow.
You need something like this on Host B:
HostB# sysctl -w net.ipv6.conf.all.forwarding=1
HostB# ip -6 addr add 2001:db8:0:0::1/64 dev eth0
HostB# ip -6 addr add 2001:db8:0:1::1/64 dev tun0
Then on Host A:
HostA# ip -6 addr add 2001:db8:0:0::2/64 dev eth0
HostA# ip -6 route add default via 2001:db8:0:0::1 dev eth0
HostA# ping6 2001:db8:0:1::2 # <-- should work if that host exists on tun0
I have two virtual TAP interfaces tap0 and tap1 on my machine. They have IPs 10.0.0.1 and 10.0.0.2 respectively. They are both connected to each other using socat. Both have netmasks 255.255.255.0 (and hence are on the same subnet). With this setup, I try pinging 10.0.0.2 through tap0 and vice versa. This doesn't seem to work for some reason. Although tcpdump shows ARP packets from tap0 reaching tap1, there are no ARP replies and hence no ICMP requests and hence no ICMP replies. Using a TUN device instead of a TAP device bypasses the ARP request/response cycle, but now the ICMP requests show up at tap1 with no ICMP response coming back.
I have tried a couple of things like enabling ip_forward ( echo 1 > /proc/sys/net/ipv4/ip_forward) and disabling reverse path filtering ( echo 0 > /proc/sys/net/ipv4/conf/tap0/rp_filter and echo 0 > /proc/sys/net/ipv4/conf/tap1/rp_filter ).
Here are the commands to reproduce my problem :
sudo socat TUN:10.0.0.1/24,tun-type=tap TUN:10.0.0.2/24,tun-type=tap
sudo ifconfig tap0 10.0.0.1 netmask 255.255.255.0
sudo ifconfig tap1 10.0.0.2 netmask 255.255.255.0
ping -Itap0 10.0.0.2
tcpdump -Itap0 -n
tcpdump -Itap1 -n